May 6th, 2017

Last month Visa, MasterCard and Symantec, amongst others, reported a BGP ‘mishap’.

Internet traffic going to Visa, Mastercard, security company Symantec and a couple of dozen others was rerouted for a few minutes to a Russian internet provider. Did they get your credit card information? Probably not. Do you have to worry, or still have to worry? Yes. People love to use Visa and Mastercard in the headlines because it makes you click on the story. But the Visa website doesn’t process your credit card purchase; companies that run processing gateway services do, and that isn’t what was “attacked” here. More concerning should be the fact that Verisign and Symantec were part of the event. They do provide services directly to users, and if you have downloaded something from a fake site, or even “logged in” to one, it can start to cause real problems.

Recent discussions of ways to mitigate these BGP issues often revolve around complex BGP solutions, yet a credible, simple solution has been available for over a decade, as I presented in 2005 at NANOG35.
Perimeter protection and trust are key to halting BGP-based attacks. Networking peers trust each other, but if one of them has an untrustworthy client and the perimeter is not protected, the network is only as trustworthy as that client.

Protecting the perimeter not only protects the network as a whole from malicious activity but also from bona fide human errors, which can have the same results as those Visa, MasterCard, Symantec, and others reported. Who to filter and how is an issue that goes back to a time when the internet was a less hostile place and the focus was on sharing information. Those days are sadly long past, and as the Internet has become part of all our daily lives we need to do a better job of self-policing: protecting our clients, our friends, our families, ourselves and our networks.
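
One common form of the perimeter protection described above is a per-customer prefix filter applied at the edge, which rejects both deliberate and accidental announcements of address space the client does not hold. The following is an added example, not code from this post or the NANOG35 presentation; the ASNs, prefixes, filter table and `check_announcement` helper are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation ASNs (RFC 5398) and prefixes
# (RFC 5737, RFC 3849). Each customer ASN maps to the prefixes it is
# registered to announce and the longest prefix length accepted for each.
CUSTOMER_FILTERS = {
    64496: [("192.0.2.0/24", 24), ("2001:db8:100::/40", 48)],
    64497: [("198.51.100.0/24", 24)],
}

def check_announcement(customer_asn, prefix, as_path):
    """Decide whether to accept one route received on a customer session."""
    entries = CUSTOMER_FILTERS.get(customer_asn)
    if entries is None:
        return False, "no filter for this customer (default deny)"
    try:
        net = ipaddress.ip_network(prefix)  # strict: host bits must be zero
    except ValueError:
        return False, "malformed prefix"
    if not as_path or as_path[0] != customer_asn:
        return False, "first AS in path is not the customer"
    for allowed, max_len in entries:
        allowed_net = ipaddress.ip_network(allowed)
        # subnet_of() raises TypeError across IP versions, so compare first.
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            if net.prefixlen > max_len:
                return False, "more specific than permitted"
            return True, "within registered prefix"
    return False, "prefix not registered to this customer"

if __name__ == "__main__":
    # Constructed announcements: a valid route, a mistyped prefix that belongs
    # to another network, a more-specific of the customer's own block, a valid
    # IPv6 route, and a session with no filter configured.
    samples = [
        (64496, "192.0.2.0/24", [64496]),
        (64496, "198.51.100.0/24", [64496]),
        (64496, "192.0.2.128/25", [64496]),
        (64496, "2001:db8:100::/48", [64496]),
        (64499, "203.0.113.0/24", [64499]),
    ]
    for asn, prefix, path in samples:
        print(asn, prefix, check_announcement(asn, prefix, path))
```

The default-deny branch matters as much as the match logic: a client session with no filter defined is exactly the unprotected perimeter the post warns about.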

There has always been a balance between security and usability. We love to say it’s hard, but sometimes it is easier than we think.